OpenID, the challenge Attributes

11122008

So what’s the fuss about OpenID? Well, the idea is to have one ID provider for all the sites that require authentication.

And if you go a bit further, and at some point you will, you’ll want to get some details about the user, like email or full name. So the guys at OpenID implemented something called Attribute Exchange. And if you are in the Java world like I am, you want something simple, so I turned to OpenID4Java. The idea is that you let the user enter their ID on your web page, something like johndoe.openid.org, and then you forward the user to openid.org and let openid.org validate your user; openid.org will then forward the user back to you using a URL you specified. And if you really need some properties, you can add an sreg (OpenID Simple Registration Extension) for each property to make the user enter it at the provider (however, not all providers support these things).

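The code that receives the response from the provider:

    import javax.servlet.http.HttpServletRequest;
    import org.openid4java.OpenIDException;
    import org.openid4java.consumer.VerificationResult;
    import org.openid4java.message.ParameterList;

    // --- processing the authentication response ---
    // manager, receivingURL and discovered are defined elsewhere in the class
    public User verifyResponse(HttpServletRequest httpReq) {
        try {
            // extract the parameters from the authentication response
            // (which comes in as an HTTP request from the OpenID provider)
            ParameterList response = new ParameterList(httpReq.getParameterMap());

            // verify the response; ConsumerManager needs to be the same
            // (static) instance used to place the authentication request
            VerificationResult verification = manager.verify(
                    receivingURL.toString(), response, discovered);

            // the excerpt ends here; building the User from the result is not shown
        } catch (OpenIDException e) {
            // verification could not be completed: treat as not authenticated
        }
        return null;
    }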
So the idea is good and the authentication works, but my problem is that I cannot get the providers to provide the AX properties. So I’ll be following up on how to do this in this post. I hope I succeed at some point, because for me OpenID without AX is almost worthless. At this point I don’t know if it’s the OpenID4Java implementation or the OpenID providers. If you have any pointers on how to do this, please comment.
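
The post mentions both Attribute Exchange and sreg as ways to obtain user details. The following is an added example, not the author's code and not taken from the OpenID4Java project: it requests both extensions and reads whichever one the provider returns. The class name `ProfileAttributes`, the aliases and the axschema.org type URIs are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import org.openid4java.message.AuthRequest;
import org.openid4java.message.AuthSuccess;
import org.openid4java.message.MessageException;
import org.openid4java.message.ax.AxMessage;
import org.openid4java.message.ax.FetchRequest;
import org.openid4java.message.ax.FetchResponse;
import org.openid4java.message.sreg.SRegMessage;
import org.openid4java.message.sreg.SRegRequest;
import org.openid4java.message.sreg.SRegResponse;

// Hypothetical helper class, added as an example (not from the post).
public final class ProfileAttributes {
    // Before the redirect: ask through both extensions, because a provider
    // may implement AX, sreg, or neither.
    public static void request(AuthRequest authReq) throws MessageException {
        FetchRequest ax = FetchRequest.createFetchRequest();
        ax.addAttribute("email", "http://axschema.org/contact/email", true);
        ax.addAttribute("fullname", "http://axschema.org/namePerson", false);
        authReq.addExtension(ax);
        SRegRequest sreg = SRegRequest.createFetchRequest();
        sreg.addAttribute("email", true);
        sreg.addAttribute("fullname", false);
        authReq.addExtension(sreg);
    }

    // Call only after manager.verify() produced a non-null verified identifier.
    // The values are claims made by the provider: validate them before use.
    public static Map<String, String> read(AuthSuccess ok) throws MessageException {
        Map<String, String> out = new HashMap<String, String>();
        if (ok.hasExtension(AxMessage.OPENID_NS_AX)
                && ok.getExtension(AxMessage.OPENID_NS_AX) instanceof FetchResponse) {
            FetchResponse ax = (FetchResponse) ok.getExtension(AxMessage.OPENID_NS_AX);
            put(out, "email", ax.getAttributeValue("email"));
            put(out, "fullname", ax.getAttributeValue("fullname"));
        }
        if (ok.hasExtension(SRegMessage.OPENID_NS_SREG)
                && ok.getExtension(SRegMessage.OPENID_NS_SREG) instanceof SRegResponse) {
            SRegResponse sreg = (SRegResponse) ok.getExtension(SRegMessage.OPENID_NS_SREG);
            put(out, "email", sreg.getAttributeValue("email"));
            put(out, "fullname", sreg.getAttributeValue("fullname"));
        }
        return out; // a missing key means: ask the user for that field locally
    }

    // Keep the first non-empty value, so AX takes precedence over sreg.
    private static void put(Map<String, String> m, String k, String v) {
        if (v != null && v.length() > 0 && !m.containsKey(k)) m.put(k, v);
    }
}
```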

6 responses

Note that Attribute Exchange is just an extension: there is no obligation for an OP to provide it. Unfortunately, it indeed seems to be the case that many of the OPs do not seem to provide ax. Also, the big players (Yahoo, Google…) are OPs, but won’t let you log into their systems with OpenIDs from other domains. So, they’re not really using OpenID like it was intended to be.

Thanks a lot. I was hoping that I was just doing something wrong 😦 I’ll continue my quest though. But I guess just listing which OPs you support in your web app sort of ruins the idea though.
I hate the fact, though, that you can say your system is OpenID compliant, which should really mean that you can log in with any OpenID, but then have to tell people that their provider is unsupported if it doesn’t support AX or SREG. I guess I could then just require the user to enter email and name if their OP doesn’t support transferring.

I am facing the same problem, i.e. unable to get the AX attributes. The statement “authSuccess.hasExtension(AxMessage.OPENID_NS_AX)” always returns false. This is really discouraging. I wonder how sites like Stackoverflow do it then.